[187556] in North American Network Operators' Group
Re: UDP Amplification DDoS - Help!
daemon@ATHENA.MIT.EDU (Tin, James)
Mon Feb 8 22:03:17 2016
X-Original-To: nanog@nanog.org
From: "Tin, James" <jtin@akamai.com>
To: Mitch Dyer <mdyer@development-group.net>
Date: Tue, 9 Feb 2016 02:58:27 +0000
In-Reply-To: <10e6b56b34b74f7a86cc7117555de973@AWS-EX01.devgru.local>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi Mitch.
My colleagues in the US dealt with something like this and I have dealt with something similar to this in Australia.
Does your customer happen to be a school district?
In our cases it turned out to be students buying DDoS as a service and targeting the address which comes up when they go to www.whatismyip.com.
So the attack would constantly change and follow the network when there was an IP block put in place at the upstream.
In my opinion, there are a few options to this:
1) The best solution is to use a comprehensive cloud based DDoS mitigation solution.
2) Use a CGNAT to dynamically map to different external addresses and change them dynamically when there is a DDoS, while putting the used addresses in a black hole.
3) Another could be to use an external proxy service where you proxy your outbound requests to. So they will eventually become the target. However this moves the problem elsewhere and still exposes you to DDoS if they know your CPE address.
4) In combination with this, you can perform incident response: check your logs, turn on authentication, so you know when users are browsing for whatismyip and DDoS attack services.
Sent from my iPhone
James Tin
APJ Principal Enterprise Security Architect
Akamai Technologies
+61 466 961 555
Level 7, 76 Berry St, North Sydney
Australia 2060
On 9 Feb 2016, at 13:27, Mitch Dyer <mdyer@development-group.net> wrote:
Hello,
Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful.
A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site; if we change the PAT address for the site, the attack targets the new address at the next occurrence. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS requests originate within the network but that does not appear to be the case.
We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
Thanks in advance for any insight.
Mitch
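An added example, not from either message in this thread, showing two triage checks the exchange above points at: picking the SSDP/DNS reflection traffic Mitch describes out of flow records (inbound UDP from source port 1900 or 53 with large, high-volume replies), and James's option 4, finding internal clients that resolved a "what is my IP" site shortly before an attack started. All flow records, log lines, addresses and thresholds are constructed for the example.

```python
# Added example (not from the thread): triage helpers over constructed data.
from collections import defaultdict
from datetime import datetime, timedelta

# Reflector source ports for the two amplification vectors named in the thread.
REFLECTOR_PORTS = {53: "dns", 1900: "ssdp"}

# Constructed flow records: (ts, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    ("2016-02-08T13:05:02", "198.51.100.7", 1900, "203.0.113.10", 54021, "udp", 4000, 1_300_000),
    ("2016-02-08T13:05:03", "198.51.100.9", 53,   "203.0.113.10", 41022, "udp", 2500, 1_200_000),
    ("2016-02-08T13:05:04", "192.0.2.44",   443,  "203.0.113.10", 50011, "tcp", 30,   40_000),
    ("2016-02-08T13:05:05", "198.51.100.8", 53,   "203.0.113.10", 41022, "udp", 3,    300),
]

def classify_amplification(flows, min_avg_bytes=300, min_packets=100):
    """Per destination, sum bytes of inbound UDP from well-known reflector
    ports whose volume and average packet size look like amplified replies."""
    totals = defaultdict(lambda: defaultdict(int))
    for _ts, _src, sport, dst, _dport, proto, pkts, byts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if pkts < min_packets or byts / pkts < min_avg_bytes:
            continue  # a few small replies are ordinary DNS/SSDP traffic, not amplification
        totals[dst][REFLECTOR_PORTS[sport]] += byts
    return {dst: dict(v) for dst, v in totals.items()}

# Constructed resolver query log, one "ts client qname" entry per line.
DNS_LOG = """2016-02-08T12:58:10 10.20.5.31 www.whatismyip.com
2016-02-08T12:58:12 10.20.5.31 cdn.example.net
2016-02-08T12:40:00 10.20.7.2 whatismyipaddress.com
2016-02-08T13:01:00 10.20.5.31 ads.example.org"""

IP_LOOKUP_MARKERS = ("whatismyip",)  # substrings of the lookup sites named in the thread

def clients_checking_external_ip(log_text, attack_start, window_minutes=15):
    """Internal clients that resolved a 'what is my IP' site within the
    window before the attack began (the check James's option 4 suggests)."""
    start = datetime.fromisoformat(attack_start)
    earliest = start - timedelta(minutes=window_minutes)
    hits = set()
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        when = datetime.fromisoformat(ts)
        if earliest <= when <= start and any(m in qname.lower() for m in IP_LOOKUP_MARKERS):
            hits.add(client)
    return hits
```

With a real flow exporter and resolver log, the client flagged by the second check is the one to correlate against the first check's timestamps before any address change or block is made.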